We help IT Professionals succeed at work.

WSUS

Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program developed by Microsoft that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers.

Hello - Can anyone share how they manage patches via WSUS. What is the best way to plan and deploy updates?

Thank you,

sysnimda
0
getting confused with the various types of update.  I thought security only was just that one update nothing historical.  and cumulative was historical as well.   but we also see quarterly security only  and quarterly roll up

also wsus offline (third party app) . if I skip a month  will I be missing patches after I put the next month in, if they were security only ?
0
The problem I am having is that I have configured WSUS to use BranchCache using  BITS.
The Windows 10 clients are not members of domain thus we use local policy and they talk to the WSUS box fine and the approved updates are coming down without a problem, even branchcache works fine, except updates are coming down from WSUS server and always at full speed, no BITS throttling at all.

I see downloads are via BITS in PerfMon - BITS:Bytes from server
and also via PS C:\Windows\system32> Get-BitsTransfer -AllUsers

In first step I enabled

Network/Background Intelligent Transfer Service (BITS)                        
      Allow BITS Peercaching      Enabled            
      Limit the maximum network bandwidth for BITS background transfers      Enabled            
                  Limit background transfer rate (Kbps) to:      0
                  From      6:00 AM
                  To      12:00 AM
                  At all other times      
                  Use all available unused bandwidth      Enabled
                  OR      
                  Limit background transfer rate (Kbps) to:      20
I expected no transfer but there was no limit - update was downloaded from WSUS server as before during working hours.

In second step I also enabled
      Set up a work schedule to limit the maximum network bandwidth used for       Enabled            
      Ignore bandwidth limits if the source and the destination are on the same subnet.      Disabled            
                  Work Days      
                  From      Monday
                  To      Saturday
                        
                  Daily Work Hours      
                  From      6:00 AM
                  To      12:00 AM
                        
                  Bandwidth Limits During Work Hours      
                  High Priority Limit:      0
                  High Priority Unit:      Kbps
                  Normal Priority …
0
SCCM Client Settings for Software Updates

in SCCM Client settings, there are these options:

--When any software update deployment deadline is reached, install all other software update deployments with deadline coming within a specified period of time

--Period of time for which all pending deployments with deadline in this time will also be installed


Any SCCM expert to explain what they mean by that ?

Thank you
0
Updates in WSUS not showing in SCCM

I can see Updates in WSUS Console.
a
But I cannot see them in SCCM Console:
a
I run Synchronization as well as Summarization, but still cannot see those updates in SCCM Console.

Thank you
0
How to revert Expired Updates back to Non Expired.

In WSUS,  I have selected software updates and declined them. Now in WSUS they Show as Expired. I would like to roll back so that the will not show as expired in SCCM.

I wonder if I Approve the declined updates will hep revert them to non expired ?

I also would like to know when you Run Synchronize Software Updates from SCCM, will this Synchronize with your WSUS server, or with Microsoft Update Server, assuming your WSUS server does not have another upstream update server.



Thank you
0
Hi

I have to defer Windows updates 14 days for all unmanaged clients. How can I do this with a PowerShell script?
All clients are Windows 10 1909 Pro.

Thanks
0
I've configured WSUS to install the feature updates to upgrade our Win10 Pro laptops to v1909. The upgrade schedule works like a champ if a user is signed out, however i need it to install while the user is logged on - just not reboot automatically.  Unfortunately, the installs are NOT occurring without user intervention/clicking Install Now button. This is confusing as it's set to Auto Download and schedule the install, not schedule install only if noone is logged on - that's for reboots, not installs. And we're a large company, we cannot depend on all users to go to Windows Updates to click Install is not an option.

I've attached my GPO settings. Please advise on how i can configure the behavior to install automatically while users are logged in - without requiring the user to go to Windows Updates and hit the Install Now button.  They'll need to do the reboot - of course - but this should still install on the scheduled time.

* My company is exclusively laptops, so installing during the evenings is not an option.
WSUSconfig.docx
0
Windows Superseded Updates:

On the screenshot below, I would like to know when we should select the options indicated by the red arrows:
Thank you
a
0
SCCM Run Summarization

Any SCCM Expert to explain what Run Summarization accomplish ?

Thank you
0
Windows Updates Required vs Critical.

I have Windows Updates search on the screenshot below. I would like to know why when an update severity shows Critical , but the Required field is 0, means not required

Thank you
a
0
I had finished setting up WSUS on 2016 core and let the initial sync run last night.  Early this morning, it suddenly failed with certificate errors and can't connect.  Nothing has changed so don't know why it suddenly started doing this.  Trying to connect to the console says the certificate cannot be validated.  I am using our wildcard cert (expires in July).  It was working yesterday after importing the pfx through the windows admin center so have no idea why it just suddenly stopped working.  In the softwaredistribution.log I see "Error: RemoteCertificateNameMismatch" which makes no sense.  I have restarted the server but makes no difference.
0
We have Win10 Pro laptops, and need to upgrade to the latest version of Win10 Pro, which are on all different editions (1709, 1803, etc) to the latest Win10 Pro ver1909. We use our KMS server with MS volume licensing to register our laptops (we do not want Enterprise).  I have 2 questions:

1. Would the ver1909 be comprehensive and i just need to run that version no matter the original on our laptops to upgrade from? (1709, 1803, etc - we currently have all different Pro versions on the domain)

2. I have choices in WSUS to upgrade our Win10 Pro versions:

     - Feature update to Win10 (consumer edition)
     - Feature update to Win10 (business edition)
     - Feature update to Windows 10 version x64 via Enablement Package

              Which of these should i choose in WSUS?
0
I have a 2012 server running wsus and several other things.  I want to separate wsus and put it on 2016 core.  I got all those pieces done but the last part that isn't work is the certificate.  We have a wildcard cert for the domain.  Normally I would just import the pfx through the mmc but being core, have to do through powershell.  I used import-pfxcertificate and it worked.  However, it only imported the certificate, not the entire chain as it would if I imported through the mmc.  Any ideas how to get the entire cert chain in there?  without that, the wsus console won't connect saying it can't verify the certificate.
0
Dear Experts,

I am trying to formalize our server update procedures.  Since the existing procedure was not created recently, I would like to bring it to date.
We have a WSUS server, and I was thinking of using Group Policy for deployment.  (right now, we are using SolarWinds patch manager, and manually pushing the patches every week)
I am only including Microsoft Windows Server and SQL Server updates, and we have test server group we can use first before rolling out to production.
I would like to know what would be the more recent best practices for:

1. How long I should wait to deploy the patch after it comes out. (Unless it is Zero-day security category)  
2. How should I track the success/failure rate, besides going through WSUS app report on the WSUS server.
3. What should be the Automatic Approval policy?  Always with Critical patches?
4. Is there a better way rather than using GPO?

Please advise.  Thank you.
0
I have a windows 2016 server. I get "Security Update for SQL Server 2016 Service Pack 2 CU (KB4535706) failure error when I patch the server. The other Windows patches are ok.
Experts out there might have a solution for this. I would appreciate it if you could shed light on this.
0
Windows Update WSUS on Windows 2012 R2 Server

I just changed the Configure automatic updating from a 3 Auto download and notify for install  to 4 Auto download and schedule the install   schedule install day 0  every day and scheduled install time 03:00

The Install during automatic maintenance option is not checked

This is all configured using a GPO

The process installed the updates on most of my computers and servers some took the second day and that is ok.

My issue is that on some of the computer and servers they automatically rebooted and for the servers I wish this not to happen the desktops it is ok.

On the windows 2016 Servers this happens

On the 2012 R2 servers when I logged on I saw Installed updates have been applied and will restart in 1 day

Any way that I can stop the automatic reboot ?

Thank you

Tom
0
Hi,

I’m attempting to setup and configure BranchCache (Distributed mode) to assist with updating our clients.  
Some background info:
Windows Firewall disabled on WSUS server
WSUS to update clients - Single WSUS server running 2012 R2.
2 clients in
BranchCache installed and configured on WSUS Server.
BranchCache enabled on clients for testing.

Monitoring client IEBQ01337POS02T via Perfmon and wireshark shows that all content is being received from the WSUS server, with no caching and nothing coming from cache or peer. Client GBBQ0137POS02T is thus I assume not utilizing BranchCache at all and the second client IEBQ01337POS02T  is using BranchCache and caching content locally. So first download on second client is from wsus server and when you uninstall and delete updates from SoftwareDistribution folder it is then taken from local cache. I only have these two clients to play with and I can't force the first one to use BranchCache and I don't know why.

Have I missed anything?  It seems I have configured everything but updates are fully downloaded over the WAN link from the WSUS server.
Please for more details see document attached.
Thanks a lot for support in advance,
Manual_WSUS_Configuration.docx
0
Hi, I'm working on updating / upgrading our WSUS infrastructure from Windows Server 2012 R2 to Windows Server 2019.  ANd since I am building from scratch, I figured I would reevaluate some settings.

The one in particular is whether to implement SSL (8351) or stick to the default (8350) as I've done in the past.

So, I figured why not ask the experts (gurus) in the community to see how they run their WSUS environment.

The other items is what do you typically run for downstream servers, autonomous or replica?


Thanks in advance.
0
So far

enabled "built in Admin account" and tried all items below (not necessarily in the order shown) in that context:

Troubleshooter, said it had found and fixed problems. The only one identified was getting BITS up and running again

ran DISM with "restorehealth" etc
ran SFC /scannow

attempted setting services
UsoSvc already running, no problem

Wuauserve disabled. Set to automatic. Started.
WaaSMedicSvc - disabled. Tried to set to automatic. Access denied.

Found refs to that happening when you try to DISABLE the service and that you can only do it with a 3rd party tool like Windows Update Blocker.

I do use a 3rd party tool - Winaerotweaker - which effectively disables windows updates whereever I want it to. But re-enabling them is as trivial as disabling them (remove 2 ticks) and that works across my client estate with Win 10 versions from 1511 to 1909 so I don't believe that it's the guilty party on this occasion.

Went to regedit

Waasmedic and Wuauserv both Start values set to 4, Reset to 2

on reboot or any attempt to restart services, those values reverted to 4 (disabled)

Changed ownwership on both keys from SYSTEM to Administrator, Reset start key.   Same behaviour (reverts on reboot or attempt to run services
 

Downloaded windows10.0-kb4524569-x64
(latest service settings for 1903)

attempted to run multiple times before during and after the above fixes.

consistently failed to run with error 0x80070422

Am about to …
0
Hi experts.

We use Sharepoint 2016 and 2019.
Both are patched  by WSUS. Starting in December '19, the updates for these products where no longer downloaded by WSUS, nor can they be imported manually.

Can you please confirm this?
In WSUS (version does not matter), right click the updates section and search for update ID 4484215 (january 2020 update for sharepoint 2016) - does your WSUS find it?
To be detected, the office 2016 product needs to be enabled, of course (Sharepoint is part of office in WSUS)

For those of you, who have office 2019 enabled in WSUS, please try to search for update ID 4484224

I suspect that MS has screwed up something, since it stopped to detect these updates in december already.
0
We have a the following topology:

A. (5) Regions. WSUS at the Region with a SQL Database
B. 100 Branch Offices. WSUS as a VM at each office. No SQL.

We are having issues at the Branch Offices with the WSUS DB filling up with the native SQL Lite at 10GB.

A couple of questions:

1.  Can the WSUS at the Remote offices access the Regions WSUS SQL to prevent this? If so, how?
2. Can the Branch Offices WSUS utilize WID to alleviate the 10GB limit on SQL Lite?

Any recommendations or suggestions are welcomed.
0
Hi, We have a scheduled task that downloads Office 365 updates to our Wsus Server > WsusContent\Office365\Office\Data
This has versions running back to 2017 and is taking up a lot of space.
A normal Server Clean Up wizard within the WSUS console doesn't touch this folder.
Is it safe for me to manually delete the older folders and corresponding .cab files?
i guess i need to leave the v64.cab file
regards
RickWSUS folder
0
We are using WSUS configured on Windows 2012 R2 to patch our Server in domain

It has been observed most of the times 60 % Boxes are not reporting /communicating  with WSUS

Need to diagnose if that is because if  Group Policy or something else ?

How can we diagnose /validate the same if policy is applied in right wy to get server communication with WSUS?

Please help  with your best practice  if any tool /steps /diagnostic utility we can follow to get this fixed
Thanks
1
I need some help here to understand why our WSUS implementation is not updating Win 10 1809 to 1903 or 1909. You can see in the attached screenshots that the updates are approved for install but they simply will not install. I have gone through all I can find about this so finally thought I's throw up a hail-mary here to see if someone can shed some light.

In the attached screenshots, you will see that the required updates are approved for installation, but their status is "downloaded". I am not sure what that means and I have been unable to find out too :/

Thanks in advance and please let me know if there is any info you need.

WSUS - on a Win2019 Server
classifications.JPG
general.JPG
products.JPG
updates.PNG
0

WSUS

Windows Server Update Services (WSUS), previously known as Software Update Services (SUS), is a computer program developed by Microsoft that enables administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers.

Top Experts In
WSUS
<
Monthly
>